How to log traffic dropped by Juniper SRX firewalls

Prior to working with Juniper SRXs my firewall experience was predominantly Check Point. Two nice features of Check Point firewalls are SmartLog and SmartView Tracker, which both provide easy access to firewall log records. When I started using SRXs, one of my first questions was: how do I view dropped traffic?

One of the easiest ways to do this is with a ‘Default Deny’ template group. Unless a Security Policy explicitly permits it, the SRX drops all traffic by default, but that implicit drop produces no log record. A default-deny template group works around this: it adds an explicit deny policy, with logging enabled, to every from-zone/to-zone pair, so traffic that would otherwise have been silently discarded is instead dropped by a policy that logs it.
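The template group described above, written out as a Junos configuration group. This is an added example, not configuration taken from the post: the group name, the policy name and the syslog file name are my own choices, the `<*>` wildcards match every zone on the device, and `apply-groups` at the top of the configuration applies the group to every zone pair.

```junos
/* Added example: a configuration group that supplies a logged deny policy
   for every zone pair. Group and policy names are my own choices. */
groups {
    default-deny {
        security {
            policies {
                /* <*> is a wildcard: this policy is inherited by every
                   from-zone/to-zone combination that exists on the box. */
                from-zone <*> to-zone <*> {
                    policy default-deny-log {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                /* Denied sessions never reach close, so
                                   session-init is the event to log. */
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
/* Apply the group at the top of the configuration. */
apply-groups default-deny;

/* Assumed event-mode branch SRX: write RT_FLOW messages to a local file
   so they can be read with "show log traffic-log". */
system {
    syslog {
        file traffic-log {
            any any;
            match RT_FLOW_SESSION;
        }
    }
}
```

After committing, check a zone pair with `show security policies from-zone trust to-zone untrust | display inheritance`: the inherited `default-deny-log` policy should appear after the explicitly configured permit policies, so it only catches what nothing else matched. Check this on each zone pair before relying on it, and remember that a zone pair with no explicit policies gets the logged deny as its only policy. Drops then show up in `traffic-log` as `RT_FLOW_SESSION_DENY` messages. Logging every drop generates a lot of syslog during scans or floods, so size the log file or send it to a remote collector accordingly.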

About Rich Bibby

Rich Bibby is a UK based Network Engineer, working mainly with Cisco, Juniper and Arista gear in the enterprise LAN, WAN and Data Centre space. Aside from route/switch/firewalling, he is interested in open source network monitoring and management tools, and exploring the possibilities that automation and programmability bring to networking.